Information Disclosure
Monthly
Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.
Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.
Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.
Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.
Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.
System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.
Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.
Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.
The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.
Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.
Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.
Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.
Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.
Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.
Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.
Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.
Local privilege escalation potential in the Linux kernel's btrfs filesystem stems from a double-free in create_space_info() when kobject_init_and_add() fails during sysfs registration. The flaw affects multiple stable Linux branches (6.6.x, 6.12.x, 6.18.x prior to the fixed releases) and could allow a local attacker with low privileges to corrupt kernel memory; no public exploit identified at time of analysis and EPSS is very low (0.02%).
Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.
Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.
Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.
Information disclosure in the Linux kernel isofs filesystem allows authenticated NFS peers to read arbitrary in-range blocks from the backing device by submitting crafted NFS file handles to isofs_export_iget(). The flaw resides in isofs_fh_to_dentry() and isofs_fh_to_parent(), which previously only rejected block==0 before passing the attacker-controlled block number to sb_bread(), exposing unrelated adjacent-partition data as iso_inode_info fields returned to NFS clients. No public exploit identified at time of analysis, EPSS is 0.02% (5th percentile), and this is reported as hardening adjacent to the prior CVE-2025-37780 fix.
Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).
Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.
Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA/mana driver allows authenticated local users to trigger a user-reachable WARN_ON() and subsequently corrupt kernel memory by specifying Work Queues that share the same Completion Queue through the uAPI of mana_ib_create_qp_rss(). The flaw affects Linux 6.8 through versions before the patched 6.12.91, 6.18.30, 7.0.7, and 7.1-rc3 releases. No public exploit identified at time of analysis, and EPSS scoring is low at 0.02%.
Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.
Local privilege escalation risk in the Linux kernel's RDMA/hns driver stems from an unlocked call to hns_roce_qp_remove() in the error unwind path of hns_roce_qp_remove_common(). Low-privileged local users on systems with HiSilicon RoCE (hns) RDMA hardware could trigger the error flow to corrupt kernel memory, with EPSS at 0.02% indicating no known exploitation, and no public exploit identified at time of analysis.
Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.
Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.
Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.
Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.
Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.
Local denial of service in the Linux kernel's mpt3sas SCSI driver allows a privileged local user to trigger a kernel oops by issuing oversized NVMe I/O operations against drives behind Broadcom/LSI MPT3 SAS HBAs. The flaw stems from a size mismatch between firmware-reported MDTS values and the driver's fixed 4K PRP list buffer, and no public exploit identified at time of analysis. EPSS is very low (0.02%, 4th percentile), consistent with a kernel reliability bug requiring local privileged access rather than a remote attack surface.
SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.
Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Arbitrary file write in Veeam Backup & Replication 13 (≤13.0.1) on Linux-based deployments allows an authenticated Backup Administrator to write files anywhere on the server filesystem, enabling code execution and full host compromise. CVSS 4.0 scores this 8.6 (High) due to network-reachable exploitation with high impact across confidentiality, integrity, and availability, though high privileges are required. No public exploit identified at time of analysis.
Information disclosure in Red Hat Build of Keycloak exposes client protocol type to unauthenticated remote attackers via error message enumeration. By submitting specially crafted SOAP requests targeting the SAML ECP (Enhanced Client or Proxy) endpoint with varying client IDs, an attacker can observe distinct faultstring values in server responses and map which clients use which protocol types. No authentication, user interaction, or elevated privileges are required, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is straightforward against any exposed instance. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Arbitrary user data manipulation in SourceBans Material Admin web application before v1.1.6 (commit 3ecd95e) allows remote unauthenticated attackers to alter other users' records by sending crafted XAJAX calls. The flaw stems from insufficient input validation (CWE-20) in the XAJAX request handler and is tagged as an Information Disclosure issue. No public exploit has been identified at time of analysis, and EPSS scores the likelihood of near-term exploitation at only 0.02% (5th percentile).
Unauthenticated information disclosure in FUXA 1.3.0 (web-based SCADA/HMI server, npm package fuxa-server) lets remote attackers retrieve full project configuration from the GET /api/project endpoint even when secureEnabled is turned on. The exposed data includes server-side script source code, device connection details, HMI view layouts with tag bindings, and alarm definitions. Publicly available exploit code exists (a single unauthenticated curl request demonstrated in the GitHub advisory), and the CVSS vector confirms unauthenticated network exploitation rated 7.5 (confidentiality-only impact); there is no public exploit identified as actively exploited in CISA KEV.
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an `Access-Control-Allow-Origin: *` header, which overrides the `allowed-origins`/`allowed-hosts` controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.
Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.
Unauthenticated information disclosure in Automad CMS (Composer package automad/automad) versions 2.0.0-alpha.1 through 2.0.0-beta.27 lets any remote attacker retrieve the bcrypt password hash of every administrator account through a single POST request to the setup endpoint. The /_api/user-collection/create-first-user endpoint stays publicly reachable after initial configuration and returns fully serialized user records, and in 2.0.0-beta.27 it additionally leaks TOTP two-factor secrets. There is no public exploit identified at time of analysis, but exploitation is trivial (network, no authentication, no user interaction) and the issue was fixed in 2.0.0-beta.28.
Thread-safety flaws in pam_usb's deny_remote feature allow incorrect remote-session authentication decisions in display managers like GDM that run concurrent authentication threads. Three functions use the non-reentrant strtok(), whose single global state pointer can be overwritten mid-parse by a racing thread, corrupting tmux session data or /proc environ analysis used to classify sessions as local or remote. Compounding this, strtok() is called directly on the raw pointer returned by getenv(TMUX), inserting NUL bytes directly into the live process environment block and permanently corrupting the TMUX variable for all subsequent authentications in that long-lived process. An attacker with local low-privileged access on an affected system running GDM could exploit thread interleaving to cause deny_remote=true to pass a remote session as local. No public exploit identified at time of analysis; CVSS 6.3 with local, high-complexity attack vector.
Authentication/claim-validation bypass in Symfony's OidcTokenHandler (symfony/security-http 6.3.0–6.4.39, 7.4.0–7.4.11, 8.0.0–8.0.11) lets a validly-signed JWT that simply omits the aud, iss, and exp claims pass verification, because the handler never marks those claims as mandatory. Attackers holding such a token can be authenticated as a valid identity — for example a token issued for a different audience or one that should have expired is accepted. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile).
Argument (option) injection in Symfony Mailer's SendmailTransport lets a dash-prefixed recipient address be interpreted as a sendmail command-line flag, allowing an attacker who controls a recipient value to manipulate how the local sendmail binary is invoked. It affects symfony/mailer (and the monolithic symfony/symfony) before 5.4.52, 6.4.40, 7.4.12 and 8.0.12 when the transport runs in `-t` mode. No public exploit identified at time of analysis; EPSS is low (0.06%, 20th percentile) and the issue is not in CISA KEV, but the NVD CVSS 4.0 score is 8.7 (High) driven by a high integrity impact.
Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. an unauthorized Bcc) or new SMTP commands. It affects symfony/mime before 5.4.52, 6.4.40, and 7.4.12; there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Symfony HtmlSanitizer's UrlSanitizer::parse() passes Unicode BiDi override characters (U+202A-U+202E, U+2066-U+2069) unchanged into href and src HTML attributes, enabling visual URL spoofing against any application that renders sanitized user-supplied HTML to other users. All HtmlSanitizer configurations that permit links or media elements are affected across symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11, as well as the bundled symfony/symfony 6.1.0-6.4.39. No public exploit has been released and this CVE is not listed in CISA KEV, but the BiDi spoofing technique is a well-documented, low-complexity phishing primitive requiring no authentication on the attacker's side.
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
Denial of service in CrowdSec's Local API (LAPI) HTTP router, versions 1.7.0 through 1.7.7, lets attackers exhaust process memory by posting small gzip-compressed bodies that decompress into hundreds of megabytes of valid JSON. The global gin-contrib/gzip DefaultDecompressHandle middleware decompressed request bodies with no size cap, and because /v1/watchers and /v1/watchers/login require no authentication, concurrent requests drive the OS OOM-killer to terminate LAPI. No public exploit identified at time of analysis; EPSS is low (0.07%). Impact is bounded in default deployments since LAPI listens only on loopback, but multi-server setups that expose LAPI to the network are at real risk.
Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Unauthorized CI data access in GitLab CE/EE allows an authenticated low-privileged user to read CI pipeline data from a ref type (branch, tag, or merge request ref) other than the one they are authorized to view, under certain unspecified conditions. All GitLab installations - both Community and Enterprise editions - running versions from 12.7 through the unpatched releases are affected. The vulnerability is classified as information disclosure with low confidentiality impact; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Sandbox escape in OneUptime before 10.0.98 lets an authenticated user break out of the Node.js vm-module isolation that the platform relies on to safely run untrusted logic, gaining code execution in the host context. The vm module was never intended as a security boundary and can be escaped using error objects and infinite recursion, yielding full confidentiality, integrity, and availability impact (CVSS 9.9, scope-changed). No public exploit is identified at time of analysis, but the escape technique is well-documented for the Node.js vm module generally.
Server-side request forgery in Budibase before 3.39.0 lets an authenticated user with the BUILDER role coerce the platform into making attacker-controlled outbound requests by setting a malicious OAuth2 token endpoint URL. Because the token fetch path bypassed the codebase's existing SSRF-blocking HTTP wrapper, responses from internal-only services such as the CouchDB database or cloud instance metadata endpoints can be exfiltrated. No public exploit identified at time of analysis, but the flaw is straightforward to trigger and EPSS/KEV signals were not supplied.
Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.
Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.
Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.
Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.
Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., `_locale: 'en|fr|vi|de'`), the validation regex `#^REQUIREMENT$#` fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig `path()`/`url()` helpers can inject a value like `/evil.com` - which satisfies the requirement by containing `vi` as a substring - causing UrlGenerator to produce `//evil.com/...`, a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.
Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.
Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.
Credential exposure in IBM Guardium Data Protection's Long Term Retention (LTR) add-on feature allows authenticated network users to obtain sensitive credentials when the system is operating in debug mode. Affected versions are 12.2.1 (up to and including Fix Pack 4.4.7 Fix Pack 1) and 12.2.2. The high confidentiality impact (C:H) reflects that fully valid credentials - not just partial data - may be disclosed, potentially enabling lateral movement or privilege escalation within the data protection infrastructure. No public exploit has been identified at time of analysis, and SSVC assessment confirms no active exploitation.
Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.
Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.
Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.
Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.
Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.
Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.
Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.
Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.
Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.
Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.
Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.
Heap memory disclosure in the Linux kernel usblp USB printer driver allows a local attacker with a malicious USB printer to expose up to 1021 bytes of uninitialized kmalloc heap to userspace. The driver's usblp_cache_device_id_string() blindly trusts a device-supplied 2-byte big-endian length prefix in the IEEE 1284 GET_DEVICE_ID response, leaking stale kernel heap contents via the ieee1284_id sysfs attribute and the IOCNR_GET_DEVICE_ID ioctl. No public exploit identified at time of analysis; EPSS is 0.02% (5th percentile) and the vulnerability is not listed in CISA KEV, but vendor patches are confirmed across multiple stable kernel branches.
Incorrect hardware chip-select management in the Linux kernel spi/microchip-core-qspi driver causes the built-in hardware CS line to assert spuriously during SPI transactions directed at GPIO-managed chip selects on multi-device coreQSPI controllers. Systems using Microchip coreQSPI IP hardware with two or more attached SPI devices - where at least one device uses the built-in hardware CS - are subject to unintended bus assertion that can crash or disrupt SPI-dependent peripherals, producing a high-availability impact. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with the narrow embedded-hardware topology required for manifestation; the vulnerability is not in CISA KEV.
Two distinct bugs in the Linux kernel's pKVM (protected KVM) arm64 vCPU initialization path allow a local low-privileged user to cause persistent resource pin leaks and observe partially initialized memory objects. The pin leak (Bug 1) occurs when an error path in __pkvm_init_vcpu() jumps to cleanup without releasing hyp_pin_shared_mem() references on host vCPU and SVE state pages, permanently exhausting pin references and ultimately degrading or crashing the hypervisor subsystem. A separate memory ordering flaw (Bug 2) uses a bare store to publish the vCPU pointer into hyp_vm->vcpus[], allowing a concurrent pkvm_load_hyp_vcpu() caller to read a partially initialized vCPU object. No active exploitation has been identified and EPSS is 0.02%, consistent with a kernel subsystem bug affecting a specialized configuration rather than a broadly targeted attack surface.
Resource leak in the Linux kernel's RDMA/mana driver allows a local low-privileged user to exhaust kernel resources via a missing cleanup in the error unwind path of mana_ib_create_qp_rss(). The Microsoft Azure Network Adapter (MANA) InfiniBand subsystem fails to release mana_ib_cfg_vport_steering() allocations when QP RSS creation fails mid-flight, while the normal destroy path handles cleanup correctly - leaving the error path mismatched. No public exploit is identified and EPSS sits at 0.02% (5th percentile), reflecting very low real-world exploitation probability, though patches are confirmed available across multiple stable kernel branches.
Memory leak in the Linux kernel's Qualcomm ASoC q6apm-lpass-dai audio driver allows a local low-privileged user to exhaust kernel memory by repeatedly invoking the ALSA prepare callback, which opens multiple APM graphs on the playback path without corresponding release. Affected systems are limited to those running Qualcomm LPASS audio hardware across several Linux stable branches (6.6.x, 6.9.x, 6.10, 6.12.x). No public exploit exists and EPSS at 0.02% (5th percentile) reflects negligible real-world exploitation interest; the practical impact is local denial of service on Qualcomm SoC-equipped devices.
System hang vulnerability in the Linux kernel's libwx (WangXun) network driver affects systems using SR-IOV Virtual Functions. During VF initialization, the driver attempts to read register WX_CFG_PORT_ST, which is restricted to Physical Functions only; this illegal register access causes the system to hang, resulting in a complete denial of service. No public exploit exists and EPSS is 0.02%, but any system running a WangXun NIC with SR-IOV enabled and attaching a VF is directly exposed.
Memory leak in the Linux kernel's powerpc XIVE interrupt subsystem causes progressive kernel heap exhaustion on IBM POWER9+ systems when MSI-X vectors are allocated and then freed for PCI devices such as NVMe controllers. The regression was introduced by commit cc0cc23babc9 which refactored the XIVE/child interrupt controller relationship: xive_irq_free_data() subsequently used the wrong domain lookup path, causing every allocated struct xive_irq_data (64 bytes) to be orphaned on irqdomain teardown. No public exploit is identified and EPSS stands at 0.02% (4th percentile), consistent with the narrow hardware-specific scope and local-only access requirement.
Out-of-bounds kernel memory read in the Linux kernel's MediaTek Bluetooth driver (btmtk) lets a short or malformed WMT firmware event response trigger reads past the SKB tailroom in btmtk_usb_hci_wmt_sync(), potentially leaking adjacent kernel memory or crashing the host. The flaw affects systems using MediaTek USB Bluetooth controllers (MT76xx family) on kernels around 6.11 through release candidates of 7.1, scoring CVSS 7.1 with high confidentiality and availability impact. There is no public exploit identified at time of analysis and EPSS is negligible (0.02%), but a vendor fix is available across multiple stable branches.
The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.
Out-of-bounds heap read and infinite loop in the Linux kernel Bluetooth HCI event handler (hci_le_create_big_complete_evt) allows an adjacent attacker to trigger denial of service on systems with Bluetooth LE Isochronous (BIG) connections. The flaw arises when a malicious or malformed controller returns an LE_Create_BIG_Complete event with fewer bis_handle entries than expected, causing the kernel to read past the flex array and spin indefinitely while holding hci_dev_lock. No public exploit identified at time of analysis, and EPSS probability is very low (0.02%), but the issue is patched across multiple stable trees.
Race condition in the Linux kernel's MPTCP (Multipath TCP) path manager subsystem affects the mptcp_pm_add_timer() ADD_ADDR retransmission helper, where the timer callback runs in softirq context without holding the socket lock via bh_lock_sock(). The data race could lead to inconsistent socket state when concurrent operations touch the same MPTCP socket. Despite a CVSS of 9.8, EPSS is only 0.02% (5th percentile) and no public exploit identified at time of analysis; the tag 'Information Disclosure' suggests realistic impact is far below the headline score.
Race condition in the Linux kernel's NVMe/TCP target (nvmet-tcp) subsystem allows a remote NVMe/TCP host to trigger a double kref_put() on a queue object by sending an Initialization Connection Request (ICReq) and immediately closing the connection. The flaw, fixed in stable releases 6.12.88, 6.18.30, and 7.0.7 (mainline 7.1-rc2), stems from nvmet_tcp_handle_icreq() updating queue->state without serializing against concurrent target-side queue teardown, defeating the DISCONNECTING-state guard and enabling a use-after-free condition. No public exploit identified at time of analysis and EPSS is very low (0.02%), indicating limited real-world exploitation interest despite the headline 9.8 CVSS.
Remote denial-of-service in the Linux kernel's Soft RoCE (RDMA/rxe) driver allows unauthenticated attackers to crash the kernel by sending a single crafted 48-byte UDP packet to port 4791 with an undefined BTH opcode. The flaw triggers an out-of-bounds read in rxe_icrc_hdr() via crc32_le() due to zero-initialized rxe_opcode[] entries causing arithmetic underflow, panicking the host with no public exploit identified at time of analysis though EPSS is very low at 0.03%.
Kernel stack information leak in Linux rtnetlink's rtnl_fill_vfinfo() exposes up to 26 bytes of uninitialized kernel stack memory to any unprivileged local user on systems with SR-IOV NICs. The flaw exists because struct ifla_vf_broadcast (32 bytes) is declared on the stack without zeroing, only the first 6 bytes are filled via memcpy on Ethernet devices, and the full struct is transmitted to userspace via RTM_GETLINK responses. No public exploit is identified at time of analysis and EPSS is 0.02% (5th percentile), but the attack is trivially repeatable without any special privileges, making it a practical KASLR bypass primitive or sensitive-data harvesting tool on multi-tenant or shared-access Linux systems.
Availability impact in Linux Kernel KVM's x86 nested virtualization subsystem allows a low-privileged user operating within an L2 (nested) guest to trigger a host kernel denial-of-service via incorrect hypercall handling. The root cause is an incorrect guard condition in slow-flush hypercall paths: KVM checks `is_guest_mode(vcpu)` before calling `translate_nested_gpa()`, but that translation function is only valid when the L2 guest is running with nested EPT/NPT actually enabled - not merely when guest mode is active. No public exploit has been identified at time of analysis, and EPSS exploitation probability is 0.02% (5th percentile). Vendor-released patches are available across multiple stable branches.
Out-of-bounds read in the Linux kernel's dm-verity-fec (forward error correction) subsystem allows kernel memory disclosure or a crash when decoding Reed-Solomon parity data. The flaw affects the device-mapper verity FEC code where fec_decode_bufs() wrongly assumes parity bytes of the first RS codeword never span a parity-block boundary; with certain non-default fec_roots values combined with low-memory buffer-allocation failures, the decoder reads past the end of the parity block buffer. Tracked as CWE-125, it carries a 7.1 CVSS (local, low complexity per NVD) but a negligible EPSS of 0.02%, and there is no public exploit identified at time of analysis.
Local privilege escalation potential in the Linux kernel's btrfs filesystem stems from a double-free in create_space_info() when kobject_init_and_add() fails during sysfs registration. The flaw affects multiple stable Linux branches (6.6.x, 6.12.x, 6.18.x prior to the fixed releases) and could allow a local attacker with low privileges to corrupt kernel memory; no public exploit identified at time of analysis and EPSS is very low (0.02%).
Denial-of-service in the Linux kernel IPMI subsystem allows a system crash when the BMC (Baseboard Management Controller) returns a malformed empty event message buffer instead of a proper error code. The kernel's IPMI driver defers response size validation to later processing stages rather than checking immediately upon receipt, causing it to process invalid data from certain non-compliant BMC firmware. No public exploit exists and EPSS is 0.02% (5th percentile); the trigger is hardware-driven misbehavior rather than deliberate attacker input, but the availability impact is high (kernel panic). Patched kernel versions are available across multiple stable branches.
Improper error-path cleanup in the RDMA/mana driver's `mana_ib_create_qp_rss()` function allows a local low-privileged user on Azure VMs with Microsoft MANA NICs to crash the kernel. Two logic bugs in the WQ table unwind - a redundant `i--` that skips a cleanup iteration, and a missed `mana_destroy_wq_obj()` call when `mana_ib_install_cq_cb()` fails - leave kernel objects in a dangling state, producing a high-availability (DoS) impact. No public exploit exists and EPSS is at the 5th percentile; this vulnerability is not in CISA KEV.
Use-after-free/double-free in the Linux kernel's mac80211 wireless subsystem affects systems with Multi-Link Operation (MLO) Wi-Fi connections when debugfs is enabled. The flaw occurs when connection preparation fails for MLO connections and the interface is reset to non-MLD without removing the associated station, corrupting debugfs state. EPSS probability is 0.02% (5th percentile) and no public exploit identified at time of analysis, but the CVSS 8.8 score reflects high impact on adjacent-network reachable systems.
Information disclosure in the Linux kernel isofs filesystem allows authenticated NFS peers to read arbitrary in-range blocks from the backing device by submitting crafted NFS file handles to isofs_export_iget(). The flaw resides in isofs_fh_to_dentry() and isofs_fh_to_parent(), which previously only rejected block==0 before passing the attacker-controlled block number to sb_bread(), exposing unrelated adjacent-partition data as iso_inode_info fields returned to NFS clients. No public exploit identified at time of analysis, EPSS is 0.02% (5th percentile), and this is reported as hardening adjacent to the prior CVE-2025-37780 fix.
Use-after-free in the Linux kernel's DAMON sysfs interface (mm/damon/sysfs-schemes) lets a local actor with access to the 'memcg_path' file race a read against a concurrent write that frees the underlying buffer, accessing freed kernel memory. The flaw affects DAMON-enabled builds across the 6.6.96, 6.12.36, 6.15.5 and 6.16-rc lines, and is fixed by serializing both direct reads and writes under damon_sysfs_lock. EPSS is negligible (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Local privilege escalation and kernel memory corruption in the Linux kernel's IPv6 GRE (ip6_gre) subsystem stem from ip6erspan_changelink() using dev_net(dev) instead of the cached t->net after IFLA_NET_NS_FD migration, causing a tunnel to be re-inserted into the wrong per-netns hash. When the original network namespace is later destroyed, the stale entry triggers a slab-use-after-free (flagged by KASAN) and a kernel BUG at LIST_POISON1, reachable from an unprivileged user namespace. No public exploit identified at time of analysis, though the bug is trivially reachable via unshare and EPSS exploitation probability is low (0.02%).
Information disclosure and denial of service in the Linux kernel's libceph subsystem allows remote Ceph servers (or attackers able to spoof/MITM unauthenticated Ceph traffic) to trigger a slab-out-of-bounds read by sending a crafted CEPH_MSG_AUTH_REPLY message with a positive result value. The flaw causes the kernel client to send memory contents past the allocated front-segment buffer back over the wire, potentially leaking adjacent kernel heap data and destabilizing the host. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the CVSS of 9.1 reflects the network-reachable, no-privileges-required nature of the bug in affected Ceph client deployments.
Local privilege escalation and kernel memory corruption in the Linux kernel's RDMA/mana driver allows authenticated local users to trigger a user-reachable WARN_ON() and subsequently corrupt kernel memory by specifying Work Queues that share the same Completion Queue through the uAPI of mana_ib_create_qp_rss(). The flaw affects Linux 6.8 through versions before the patched 6.12.91, 6.18.30, 7.0.7, and 7.1-rc3 releases. No public exploit identified at time of analysis, and EPSS scoring is low at 0.02%.
Incorrect bvec coalescing in the Linux kernel's block layer (biovec_phys_mergeable) can merge physically contiguous bio_vec segments that belong to different zone-device dev_pagemaps, corrupting the ability to recover the correct pgmap via page_pgmap() for the merged segment. The flaw affects systems using zone device memory registered in multiple chunks (e.g., DAX/persistent memory or GPU/accelerator memory backends) and was fixed upstream; no public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Use-after-free in the Linux kernel's KVM x86 shadow MMU allows a malicious guest VM to corrupt host memory and potentially escalate privileges on the hypervisor. The flaw occurs when a guest modifies its page tables between VM entries, causing KVM to install rmap entries outside the expected GFN range of a direct-mapped shadow page; subsequent rmap walks (e.g., during dirty logging or MMU notifier invalidations from MADV_DONTNEED) then dereference a freed kvm_mmu_page. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug has existed since the earliest KVM versions and is now patched upstream.
Local privilege escalation risk in the Linux kernel's RDMA/hns driver stems from an unlocked call to hns_roce_qp_remove() in the error unwind path of hns_roce_qp_remove_common(). Low-privileged local users on systems with HiSilicon RoCE (hns) RDMA hardware could trigger the error flow to corrupt kernel memory, with EPSS at 0.02% indicating no known exploitation, and no public exploit identified at time of analysis.
Local privilege escalation potential in the Linux kernel Bluetooth subsystem (hci_conn) stems from a use-after-free in create_big_sync() when a Broadcast Isochronous Group (BIG) creation races against connection teardown. A local low-privileged attacker on a system with active Bluetooth LE Audio operations could trigger the freed hci_conn dereference through hci_connect_cfm()/hci_conn_del(), enabling memory corruption with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and EPSS is very low (0.02%, 5th percentile), reflecting limited weaponization despite the CVSS 7.8 rating.
Memory leak in the Linux kernel USB ULPI subsystem allows a local low-privilege attacker to gradually exhaust kernel memory by repeatedly triggering registration failures in the ulpi_register() function. A prior fix for a double-free (commit 01af542392b5) removed the kfree(ulpi) call on the device_register() failure path but inadvertently left the allocation unreleased when ulpi_of_register() or ulpi_read_id() fail before device_register() is ever reached. No public exploit exists and EPSS is 0.02%, indicating minimal real-world exploitation pressure; however, patched kernel stable releases are available across all supported branches.
Denial of service in the Linux kernel's IPMI SI (System Interface) driver results from improper state machine recovery when message allocation fails, leaving the driver stuck in a non-normal state and rendering the IPMI subsystem non-functional. Locally authenticated users with low privileges on affected systems with an active ipmi_si module can trigger this condition, typically under memory-pressure scenarios. No public exploit has been identified at time of analysis; EPSS at 0.02% (5th percentile) confirms negligible exploitation interest, and patches are available across multiple stable kernel branches.
Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.
Three concurrent race conditions in the Linux kernel's eventfs subsystem (tracefs) can be triggered during remount operations, leading to kernel denial-of-service via LIST_POISON1 pointer dereference or use-after-free. Systems running affected kernel versions with tracefs mounted are vulnerable when a local user with sufficient privilege simultaneously remounts the filesystem while kprobe events are being added or removed. No public exploit code has been identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low observed exploitation probability.
Local denial of service in the Linux kernel's mpt3sas SCSI driver allows a privileged local user to trigger a kernel oops by issuing oversized NVMe I/O operations against drives behind Broadcom/LSI MPT3 SAS HBAs. The flaw stems from a size mismatch between firmware-reported MDTS values and the driver's fixed 4K PRP list buffer, and no public exploit identified at time of analysis. EPSS is very low (0.02%, 4th percentile), consistent with a kernel reliability bug requiring local privileged access rather than a remote attack surface.
SELinux socket permission helpers in the Linux kernel misread security blob data in stacked LSM configurations, causing kernel crashes or incorrect AVC (Access Vector Cache) decisions. Specifically, sock_has_perm() and nlmsg_sock_has_extended_perms() dereference sk->sk_security directly under the assumption that the SELinux blob always sits at offset zero, which fails when another LSM allocates socket blob storage ahead of SELinux in a stacked configuration. No public exploit has been identified at time of analysis, EPSS is 0.02%, and patches are available for Linux 6.18.30 and 7.0.7.
Arbitrary file read in KubeVirt's virt-exportserver component allows authenticated namespace users to exfiltrate sensitive files from the exporter pod via symlink-based path traversal in the VMExport directory endpoint. The flaw, reported by Red Hat and impacting Red Hat OpenShift Virtualization 4, carries a CVSS 7.7 score driven by scope change and high confidentiality impact, though no public exploit identified at time of analysis.
Sensitive information exposure in the PDF Embedder WordPress plugin (all versions through 4.9.3) allows authenticated attackers with contributor-level access or higher to extract configuration data via the enqueue_block_assets hook. The severity of impact is installation-dependent: on sites running the premium add-on with a saved license key, attackers can exfiltrate that license key; on Lite-only installations, exposed data is limited to non-sensitive viewer settings such as dimensions, toolbar preferences, and usage tracking. No public exploit identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.
Insecure Direct Object Reference in the Meta Field Block WordPress plugin (all versions through 1.5.1) allows authenticated attackers with Contributor-level access to read arbitrary user meta, post meta, and term meta data from any object in the database by supplying unchecked object IDs and types via block attributes. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms this is remotely exploitable with low privilege and no user interaction, with a full confidentiality impact on metadata. Risk is materially elevated on sites running WooCommerce or similar plugins that persist PII - names, billing addresses, phone numbers, emails - in meta fields. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Arbitrary file write in Veeam Backup & Replication 13 (≤13.0.1) on Linux-based deployments allows an authenticated Backup Administrator to write files anywhere on the server filesystem, enabling code execution and full host compromise. CVSS 4.0 scores this 8.6 (High) due to network-reachable exploitation with high impact across confidentiality, integrity, and availability, though high privileges are required. No public exploit identified at time of analysis.
Information disclosure in Red Hat Build of Keycloak exposes client protocol type to unauthenticated remote attackers via error message enumeration. By submitting specially crafted SOAP requests targeting the SAML ECP (Enhanced Client or Proxy) endpoint with varying client IDs, an attacker can observe distinct faultstring values in server responses and map which clients use which protocol types. No authentication, user interaction, or elevated privileges are required, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation is straightforward against any exposed instance. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis.
Policy enforcement bypass in Red Hat Build of Keycloak's Client Policies framework allows unauthenticated remote attackers to obtain OAuth2 tokens via the Resource Owner Password Credentials (ROPC) grant even when an explicit `reject-ropc-grant` executor is configured to block it. The bypass is triggered specifically when certain condition providers - client-type, client-roles, client-attributes, or client-scopes - are used within the same policy, causing silent executor skipping rather than a fail-closed enforcement error. Successful exploitation results in unauthorized token issuance and potential information disclosure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Arbitrary user data manipulation in SourceBans Material Admin web application before v1.1.6 (commit 3ecd95e) allows remote unauthenticated attackers to alter other users' records by sending crafted XAJAX calls. The flaw stems from insufficient input validation (CWE-20) in the XAJAX request handler and is tagged as an Information Disclosure issue. No public exploit has been identified at time of analysis, and EPSS scores the likelihood of near-term exploitation at only 0.02% (5th percentile).
Unauthenticated information disclosure in FUXA 1.3.0 (web-based SCADA/HMI server, npm package fuxa-server) lets remote attackers retrieve full project configuration from the GET /api/project endpoint even when secureEnabled is turned on. The exposed data includes server-side script source code, device connection details, HMI view layouts with tag bindings, and alarm definitions. Publicly available exploit code exists (a single unauthenticated curl request demonstrated in the GitHub advisory), and the CVSS vector confirms unauthenticated network exploitation rated 7.5 (confidentiality-only impact); there is no public exploit identified as actively exploited in CISA KEV.
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditionally emitting an `Access-Control-Allow-Origin: *` header, which overrides the `allowed-origins`/`allowed-hosts` controls added during beta and opens the endpoint to DNS rebinding. Any deployment using the SSE transport under MCP specification v2024-11-05 is affected, letting a remote attacker who lures a victim to a malicious web page read the victim's Toolbox/database tool responses cross-origin. Rated CVSS 4.0 9.4 with an upstream fix merged in PR #3054; no public exploit has been identified and the issue is not on CISA KEV.
Uncontrolled memory consumption in the Symfony Yaml component lets remote attackers trigger a "Billion Laughs" denial-of-service by supplying crafted YAML in which collection aliases recursively reference other alias-bearing collections, expanding a tiny input into a multi-gigabyte structure that exhausts process memory. Affected versions include symfony/yaml and symfony/symfony < 5.4.52, 6.x < 6.4.40, and 7.x < 7.4.12 (with an 8.0.12 release also published). No public exploit identified at time of analysis and EPSS is low (0.08%), but the flaw is trivially reachable by any application parsing untrusted YAML with the affected component.
Unauthenticated information disclosure in Automad CMS (Composer package automad/automad) versions 2.0.0-alpha.1 through 2.0.0-beta.27 lets any remote attacker retrieve the bcrypt password hash of every administrator account through a single POST request to the setup endpoint. The /_api/user-collection/create-first-user endpoint stays publicly reachable after initial configuration and returns fully serialized user records, and in 2.0.0-beta.27 it additionally leaks TOTP two-factor secrets. There is no public exploit identified at time of analysis, but exploitation is trivial (network, no authentication, no user interaction) and the issue was fixed in 2.0.0-beta.28.
Thread-safety flaws in pam_usb's deny_remote feature allow incorrect remote-session authentication decisions in display managers like GDM that run concurrent authentication threads. Three functions use the non-reentrant strtok(), whose single global state pointer can be overwritten mid-parse by a racing thread, corrupting tmux session data or /proc environ analysis used to classify sessions as local or remote. Compounding this, strtok() is called directly on the raw pointer returned by getenv(TMUX), inserting NUL bytes directly into the live process environment block and permanently corrupting the TMUX variable for all subsequent authentications in that long-lived process. An attacker with local low-privileged access on an affected system running GDM could exploit thread interleaving to cause deny_remote=true to pass a remote session as local. No public exploit identified at time of analysis; CVSS 6.3 with local, high-complexity attack vector.
Authentication/claim-validation bypass in Symfony's OidcTokenHandler (symfony/security-http 6.3.0–6.4.39, 7.4.0–7.4.11, 8.0.0–8.0.11) lets a validly-signed JWT that simply omits the aud, iss, and exp claims pass verification, because the handler never marks those claims as mandatory. Attackers holding such a token can be authenticated as a valid identity — for example a token issued for a different audience or one that should have expired is accepted. There is no public exploit identified at time of analysis, and EPSS is very low (0.05%, 16th percentile).
Argument (option) injection in Symfony Mailer's SendmailTransport lets a dash-prefixed recipient address be interpreted as a sendmail command-line flag, allowing an attacker who controls a recipient value to manipulate how the local sendmail binary is invoked. It affects symfony/mailer (and the monolithic symfony/symfony) before 5.4.52, 6.4.40, 7.4.12 and 8.0.12 when the transport runs in `-t` mode. No public exploit identified at time of analysis; EPSS is low (0.06%, 20th percentile) and the issue is not in CISA KEV, but the NVD CVSS 4.0 score is 8.7 (High) driven by a high integrity impact.
Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.
Mass assignment vulnerability in DFIR-IRIS before 2.4.28 enables authenticated low-privileged users to modify object attributes that the application should restrict from client control. Exploitable remotely with no complexity or user interaction required (AV:N/AC:L/PR:L/UI:N), the flaw can allow unauthorized modification of case data, ownership fields, or other model attributes beyond what the interface intentionally exposes. No public exploit code identified at time of analysis, and the CVE is not listed in CISA KEV; however, it was disclosed as part of a coordinated multi-CVE advisory by SBA Research covering five distinct vulnerabilities in the same product version.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Email-header and SMTP command injection (CWE-93) in Symfony's Mime component (symfony/mime, also shipped in the symfony/symfony monolith) lets an attacker who controls any address value smuggle CRLF sequences past a trusted validation boundary. The Address value-object - used for every Mailer to/cc/bcc/from/reply-to address - accepts an RFC-5322 quoted-string local-part containing raw carriage-return/line-feed bytes, which is later emitted verbatim into rendered message headers and into SmtpTransport's MAIL FROM/RCPT TO lines, allowing injection of new headers (e.g. an unauthorized Bcc) or new SMTP commands. It affects symfony/mime before 5.4.52, 6.4.40, and 7.4.12; there is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Symfony HtmlSanitizer's UrlSanitizer::parse() passes Unicode BiDi override characters (U+202A-U+202E, U+2066-U+2069) unchanged into href and src HTML attributes, enabling visual URL spoofing against any application that renders sanitized user-supplied HTML to other users. All HtmlSanitizer configurations that permit links or media elements are affected across symfony/html-sanitizer 6.1.0-6.4.39, 7.0.0-7.4.11, and 8.0.0-8.0.11, as well as the bundled symfony/symfony 6.1.0-6.4.39. No public exploit has been released and this CVE is not listed in CISA KEV, but the BiDi spoofing technique is a well-documented, low-complexity phishing primitive requiring no authentication on the attacker's side.
PATH hijacking in pam_usb helper tools prior to version 0.9.0 allows a local low-privileged attacker who can manipulate the process environment to substitute malicious binaries for those called by pamusb-check, pamusb-conf, and pamusb-keyring-unlock-gnome, resulting in high confidentiality and integrity impact. The root cause is CWE-427 (Uncontrolled Search Path Element): all three tools resolved external binaries - including id, whoami, pidof, gnome-keyring-daemon, and pamusb-check itself - through the attacker-controllable PATH variable rather than hardcoded absolute paths. No public exploit code exists and this vulnerability is not listed in CISA KEV at time of analysis.
Concurrent PAM invocations in pam_usb prior to 0.9.1 expose a process-wide static pointer race condition in src/log.c, where each PAM call overwrites a shared static pointer with the address of a stack-local variable. When multiple threads invoke the PAM stack simultaneously - a normal condition in multi-threaded Linux services such as SSH daemons or display managers - one thread's logging pointer can reference another thread's already-deallocated stack frame, causing availability loss (crash/hang) or limited integrity corruption. No public exploit has been identified at time of analysis, and this is not listed in CISA KEV.
Denial of service in CrowdSec's Local API (LAPI) HTTP router, versions 1.7.0 through 1.7.7, lets attackers exhaust process memory by posting small gzip-compressed bodies that decompress into hundreds of megabytes of valid JSON. The global gin-contrib/gzip DefaultDecompressHandle middleware decompressed request bodies with no size cap, and because /v1/watchers and /v1/watchers/login require no authentication, concurrent requests drive the OS OOM-killer to terminate LAPI. No public exploit identified at time of analysis; EPSS is low (0.07%). Impact is bounded in default deployments since LAPI listens only on loopback, but multi-server setups that expose LAPI to the network are at real risk.
Authentication bypass in pam_usb prior to 0.9.1 allows a local low-privileged user to circumvent hardware token requirements by exploiting silent EACCES error suppression in the virtual input device scanner. When the PAM module's evdev.c component fails to open /dev/input/event* nodes due to permission errors, it returns a false negative indicating no virtual devices are present, and the caller in local.c proceeds with authentication as if the hardware check passed cleanly. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Remote code execution in Langroid before 0.63.0 arises because its SQLChatAgent executes SQL text generated by an LLM, and that LLM is steerable through prompt injection — including indirect injection via data returned from the database into the model's context. When the agent connects with a database role holding code-execution or filesystem privileges, an attacker who shapes the agent's input can drive emission of dialect-specific primitives like PostgreSQL's COPY ... FROM PROGRAM to run OS commands on the database host. A full working proof-of-concept (Base64-smuggled COPY FROM PROGRAM running 'id') is published in the GitHub advisory; there is no entry in CISA KEV, so this reflects publicly available exploit code rather than confirmed active exploitation.
Unauthorized CI data access in GitLab CE/EE allows an authenticated low-privileged user to read CI pipeline data from a ref type (branch, tag, or merge request ref) other than the one they are authorized to view, under certain unspecified conditions. All GitLab installations - both Community and Enterprise editions - running versions from 12.7 through the unpatched releases are affected. The vulnerability is classified as information disclosure with low confidentiality impact; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Sandbox escape in OneUptime before 10.0.98 lets an authenticated user break out of the Node.js vm-module isolation that the platform relies on to safely run untrusted logic, gaining code execution in the host context. The vm module was never intended as a security boundary and can be escaped using error objects and infinite recursion, yielding full confidentiality, integrity, and availability impact (CVSS 9.9, scope-changed). No public exploit is identified at time of analysis, but the escape technique is well-documented for the Node.js vm module generally.
Server-side request forgery in Budibase before 3.39.0 lets an authenticated user with the BUILDER role coerce the platform into making attacker-controlled outbound requests by setting a malicious OAuth2 token endpoint URL. Because the token fetch path bypassed the codebase's existing SSRF-blocking HTTP wrapper, responses from internal-only services such as the CouchDB database or cloud instance metadata endpoints can be exfiltrated. No public exploit identified at time of analysis, but the flaw is straightforward to trigger and EPSS/KEV signals were not supplied.
Sensitive credential disclosure in Budibase low-code platform versions prior to 3.38.3 allows any authenticated low-privilege user to retrieve a configured Snowflake datasource's private key in plaintext. The flaw stems from an incomplete secret-masking filter that only redacts fields typed as PASSWORD, leaving the Snowflake privateKey field (typed SENSITIVE_LONGFORM) exposed through the GET /api/datasources/:datasourceId endpoint. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in 3.38.3.
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. No public exploit has been identified at time of analysis and no EPSS score is provided, but the issue fully defeats the second authentication factor.
Embedded malicious code in Nx Console (the editor extension for Nx and Lerna) version 18.95.0 turned a trusted developer tool into a trojan during a brief publish window on 19 May 2026. The poisoned build was live on the Visual Studio Marketplace for roughly 18 minutes (12:30-12:48 UTC) and on OpenVSX for roughly 36 minutes (12:33-13:09 UTC); any developer who installed or auto-updated during those windows executed attacker-controlled code inside their IDE, tagged here as information disclosure. It is confirmed actively exploited (CISA KEV) and publicly available exploit code exists, with CISA SSVC rating exploitation as active, automatable, and total technical impact; the clean release 18.100.0 is the fix.
Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.
Authentication bypass in SpSoft AppLock 7.9.40 for Android allows a local attacker with physical device access to circumvent fingerprint or PIN protection and access locked applications such as Chrome. The flaw stems from the app's reliance on a custom UI overlay rather than enforcing authentication at a deeper system level - cascading interface navigation triggered via advertisement or browser intents exposes routes that allow the attacker to exit the lock screen without re-authenticating. No public exploitation (CISA KEV) has been confirmed, but a researcher-published proof-of-concept exists on GitHub, and EPSS is low at 0.04% (11th percentile), consistent with the physical-access requirement limiting opportunistic exploitation.
Protocol-relative URL injection in Symfony's UrlGenerator allows open redirect via regex alternation bypass in route parameter validation. When route requirements use alternation patterns (e.g., `_locale: 'en|fr|vi|de'`), the validation regex `#^REQUIREMENT$#` fails to anchor middle alternatives due to regex operator precedence, enabling substring matching against attacker-supplied values. An attacker who can influence route parameters fed into the Twig `path()`/`url()` helpers can inject a value like `/evil.com` - which satisfies the requirement by containing `vi` as a substring - causing UrlGenerator to produce `//evil.com/...`, a protocol-relative URL the browser navigates off-site. No public exploit is identified at time of analysis, and the vulnerability is not listed in CISA KEV; patches are released across all supported Symfony branches.
Path traversal in Webmin's mailboxes component before version 2.640 lets an authenticated user write saved attachment files outside the intended directory by controlling the attachment's filename. The flaw lives in mailboxes/detachall.cgi, which constructs the on-disk filename directly from the email attachment's MIME name without stripping path separators, so a crafted name can redirect the write to an attacker-chosen location. Carrying a CVSS 4.0 base score of 9.4 with total technical impact, the issue is fixed in 2.640; CISA's SSVC framework currently lists exploitation status as none and no public exploit has been identified.
Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 797.v90ea_a_9b_e45a_0 and earlier), where the plugin fails to prohibit symbolic links inside shared libraries. An attacker who can control the contents of a shared library consumed by a Pipeline job can plant symlinks that resolve to sensitive files (credentials, secrets, configuration) on the controller filesystem and exfiltrate them through the build. There is no public exploit identified at time of analysis, and SSVC marks exploitation status as none, so this is a patch-and-move-on issue rather than an active-exploitation emergency.
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets users who can control email content abuse the data-inline image attribute to supply file: URLs, causing the Jenkins controller to read local files and embed their contents as base64 inside outgoing emails. An authenticated attacker with rights to edit job email configuration or templates (CVSS PR:L) can exfiltrate controller secrets, credentials, and configuration. There is no public exploit identified at time of analysis and CISA's SSVC rates exploitation as none, but the CVSS 8.8 score and 'total' technical impact make controller secret theft a serious concern in shared Jenkins environments.
Information disclosure in IBM Business Automation Workflow (containers and traditional deployments) exposes internal database schema details through application error messages to authenticated low-privilege users. Affecting versions across the 24.0.0, 24.0.1, 25.0.0, and 25.0.1 release lines, a network-accessible authenticated attacker can deliberately trigger error conditions to harvest database structure information - table names, column names, or schema layout - without needing elevated permissions. No public exploit code exists and no active exploitation is confirmed; SSVC assessment classifies this as non-automatable with partial technical impact, consistent with its limited confidentiality scope.
Credential exposure in IBM Guardium Data Protection's Long Term Retention (LTR) add-on feature allows authenticated network users to obtain sensitive credentials when the system is operating in debug mode. Affected versions are 12.2.1 (up to and including Fix Pack 4.4.7 Fix Pack 1) and 12.2.2. The high confidentiality impact (C:H) reflects that fully valid credentials - not just partial data - may be disclosed, potentially enabling lateral movement or privilege escalation within the data protection infrastructure. No public exploit has been identified at time of analysis, and SSVC assessment confirms no active exploitation.
Denial-of-service via uncontrolled recursion in the IBM i Integrated Language Environment (ILE) compiler affects versions 7.3, 7.4, 7.5 (≤12.1.4), and 7.6 (≤11.5.9). An authenticated network attacker can crash or hang the ILE compiler by submitting specially crafted source code containing a specific combination of statements that triggers infinite or deeply nested recursive processing. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low complexity and authenticated-only barrier makes this plausible for insider threat or compromised credential scenarios.
Sensitive information disclosure in IBM App Connect Enterprise 13.0.1.0 through 13.0.7.0 exposes potentially sensitive data via log files accessible to local users. The CVSS vector (AV:L/PR:L) confirms exploitation requires local, low-privileged authenticated access, limiting the attack surface to users already present on the system. No public exploit has been identified and CISA SSVC rates exploitation as none, but the confidentiality impact is rated High, meaning successful access to log files could yield significant sensitive data.
Local File Inclusion in the SeedProd Pro WordPress plugin (all versions before 6.19.5) lets an authenticated, low-privileged user coerce a PHP include/require statement into loading attacker-influenced local files, leading to disclosure of sensitive server-side files and potential code execution if a controllable file (e.g. an uploaded payload or log) can be included. The flaw, reported by Patchstack and classified CWE-98, carries a CVSS 3.1 base score of 7.5 with high attack complexity. There is no public exploit identified at time of analysis, and CISA SSVC rates exploitation as 'none', indicating this is currently a patch-and-move-on item rather than an emergency.
Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.
Memory leak in the Linux kernel's CAN UCAN USB driver allows a local low-privileged user to exhaust kernel memory by repeatedly triggering driver unbind cycles without physical device disconnection. The flaw (CWE-401) exists because devres-managed buffers are incorrectly scoped to the parent USB device rather than the USB interface, so they are never released during software-initiated unbind events such as probe deferral or configuration changes. No public exploit code exists and EPSS sits at 0.02% (5th percentile), indicating near-zero real-world exploitation probability despite the CVSS Availability: High rating.
Remote denial of service in the Linux kernel's stream parser (strparser) subsystem allows attackers to exhaust memory by repeatedly triggering message assembly timeouts that fail to release partially assembled skb buffers. The flaw resides in strp_abort_strp(), which leaks strp->skb_head on abort, and affects kernels from at least 4.9 through the 6.x and 7.x release lines until the fix introduced in 6.6.140, 6.12.86, 6.18.27, 7.0.4, and 7.1-rc1. No public exploit identified at time of analysis, and EPSS (0.02%, 5th percentile) reflects low predicted exploitation in the next 30 days despite the CVSS 7.5 rating.
Undefined behavior in the Linux kernel's nftables bitwise expression handler allows a local attacker with low privileges to crash the kernel. The nft_bitwise subsystem failed to reject zero-value shift operands during rule initialization; a zero shift causes the carry propagation formula (BITS_PER_TYPE(u32) - shift = 32 - 0 = 32) to perform a 32-bit shift of a 32-bit type, which is undefined behavior in C and can result in a kernel panic. No public exploit is identified at time of analysis, and EPSS at 0.02% (5th percentile) indicates very low automated exploitation activity, consistent with the local-only attack vector requiring nftables configuration privileges.
Local privilege-impacting memory corruption in the Linux kernel's AFS filesystem can be triggered by an authenticated local user mapping AFS files, leading to a refcount leak that can cause kernel resource exhaustion or use-after-free conditions affecting confidentiality, integrity, and availability. The flaw stems from an incorrect conversion of AFS's mmap handler to the new .mmap_prepare() interface (commit 9d5403b1036c), which leaks reference counts when a VMA merge or allocation failure occurs after the prepare call. No public exploit identified at time of analysis and EPSS rates exploitation likelihood at just 0.02%.
Use-after-free in the Linux kernel's IPv6 SR (seg6) and RPL lightweight tunnel input paths can be triggered on PREEMPT_RT builds when a higher-priority task races ksoftirqd during a concurrent FIB lookup on a shared nexthop. The flaw causes dst_cache_set_ip6() to call dst_hold() on a freed per-CPU route, producing a kernel warning or memory corruption that an attacker on the network could leverage for denial of service or potential code execution. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis.
Use-after-free in the Linux kernel's edt-ft5x06 capacitive touchscreen driver (CWE-416) lets a local actor with access to the driver's per-client debugfs interface read or corrupt freed kernel memory during device teardown. The regression was introduced by commit 68743c500c6e, which removed manual debugfs cleanup and left a window where debugfs files referencing tsdata->raw_buffer remained accessible after the buffer was freed. No public exploit identified at time of analysis; EPSS is very low (0.02%, 4th percentile) and it is not in CISA KEV, but a vendor (stable-tree) patch is available.
Memory leak in the Linux kernel's TPM2 session subsystem allows a local low-privileged user to exhaust kernel memory over time via repeated invocations of the vulnerable tpm2_read_public() function. The function allocates a kernel buffer via tpm_buf_init() but fails to call tpm_buf_destroy() on both its success path and its error path triggered by an unrecognized hash algorithm, leaking a page allocation each time. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% at the 4th percentile reflects very low real-world exploitation probability.
Race condition in the Linux kernel's md/md-llbitmap subsystem can cause availability loss on systems using software RAID with bitmap tracking. The barrier raise in llbitmap_start_write() and llbitmap_start_discard() occurs after the state machine transition is initiated, creating a window where concurrent state changes proceed without synchronization - potentially crashing the RAID subsystem or rendering an md array unavailable. No public exploit has been identified at time of analysis, and the EPSS score of 0.02% (4th percentile) reflects negligible automated exploitation risk. Patches are available across multiple stable kernel branches.
Out-of-bounds read in the Linux kernel's ext4 filesystem driver allows a local attacker to read up to 3 bytes beyond a valid extended-attribute (xattr) region, potentially leaking adjacent kernel memory or crashing the system. The flaw lives in check_xattrs(), where a loose bounds check on the next xattr entry lets IS_LAST_ENTRY() perform a 4-byte read that overruns the buffer when parsing a crafted or corrupted ext4 xattr block. It is not in CISA KEV and no public exploit identified at time of analysis; EPSS is negligible at 0.02% (5th percentile), consistent with a low-impact local memory-safety bug that has already been patched upstream.
Concurrent execution race in the Linux kernel's mm/vmalloc subsystem allows a local low-privileged attacker to trigger memory corruption or leaks by exercising the vmap_node shrinker simultaneously with lazy vmap purge operations. The flaw stems from unserialized invocation of decay_va_pool_node() between __purge_vmap_area_lazy() and the shrinker path. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but the issue is patched upstream in the stable tree.